We were contacted by an individual who had applied to register his business on a directory of recommended and trusted tradespeople. He had been asked to provide the company with a copy of either his basic criminal record (from Disclosure Scotland) or his police record (via a subject access request).
A subject access request provides extensive details of information held by the police, and includes details of all convictions and cautions recorded on the Police National Computer, including those that are spent.
On 10th March 2015, ‘enforced subject access’ was made unlawful, and we were keen to establish whether the directory had changed their policy as a result of this legislation. Our view was that it was unlawful for the organisation to request a copy of police records, even if they did it in the context of giving the applicant a choice.
The directory confirmed that following the enactment of section 56 of the Data Protection Act 1998, they had changed their policy with regard to the vetting of potential applicants and had removed references to police records.
For new applicants, the directory requested that they provide a copy of their basic criminal record check. They told us that any applicant with unspent convictions for fraud, theft or aggressive/violent behaviour would be refused entry onto the scheme. The directory did not make public details of the criminal record check and did not retain copies of the certificate.
If the directory receives information that an existing member has a conviction of which it is unaware, the member will be asked to provide a basic criminal record check in order for the directory to assess the risk the member poses to members of the public.
This case highlighted the need for companies to be constantly aware of changes in legislation which can affect their recruitment practices and can make previous processes potentially unlawful.
- We have practical guidance on checking criminal records, including specific guidance on police records and subject access requests.